#1  Junior Member (joined Sep 2002)

    Create a logout feature


    I want to create a logout button. Below is my situation:

    The first time the user clicks on my website, he/she is required to enter a password. I use this:

        // Challenge the browser with HTTP 401 and a Basic realm
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
        response.setHeader("WWW-Authenticate",
            "BASIC realm=\"privileged-few\"");

    During the use of the site on the already-logged-in browser, the user doesn't have to log in again. I use:

        // The browser resends "Basic base64(user:password)" on every request
        String authorization = request.getHeader("Authorization");

    to get the login ID and password.

    Now, I want to create the logout button. I want to reset the "Authorization" parameter in the header to empty. What should I do?

    Thanks a lot,

    Nam.
#2  Junior Member (joined Sep 2002)

    Help please


    Hi all,

    I would really appreciate it if you could point me in some direction. I've tested so many ways but am still stuck.

    Thanks a ton.

    Nam.
#3  Moderator (joined Feb 2002, Sacramento, CA)
    Have you tried response.setHeader("Authorization", ""); ?
#4  Junior Member (joined Sep 2002)

    Please help


    No, response.setHeader("Authorization","") does not work. I've been searching for the solution for months. It seems that it's impossible. If you guys have any ideas, I just can't say enough thanks.

    I already described the problem that I can't create a logout button. I have the same issue when I want to force the user to re-login using the same browser after it has been idle for 30 minutes.
    ==========
    I use

        response.setHeader("WWW-Authenticate",
            "BASIC realm=\"privileged-few\"");

    for users to log in to their accounts. If the user's browser is idle for 30 min, I want to invalidate the user's session and force him/her to log in again.

    Now, when the login dialog appears, if the user clicks Cancel and then refreshes the page, he/she can get into the site again without having to log in. It is because request.getHeader("Authorization") returns the same pair of login and password.

    I have tried response.setHeader("Authorization","") before setting the WWW-Authenticate header; it doesn't work. How can I achieve this?
#5  Moderator (joined Feb 2002, Sacramento, CA)
    From the PHP manual:

        Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven't changed. The user can press the '_' key to clear their authentication information, however.

    Another option:

        Someone gave me a simple solution to the 'logout' problem: add some sort of timestamp to the basic realm you send in the WWW-Authenticate header. Mine now is: $realm="RealmName ( ".strftime("%c",time())." )";. (btw: the problem was: 1) IE4 asks for the page one more time after a 401, defeating sending a 401 once to force a user to log on again. and 2) IE4 remembers the password, and puts it default in the logon window. Changing the realm solves these problems, not the 'logon failed' message of NS though).
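The "change the realm" trick from the post above, as an added example that is not code from the thread or from the PHP manual. It uses the JDK's built-in com.sun.net.httpserver so it runs without a servlet container; the servlet calls in the thread (request.getHeader, response.setHeader, response.setStatus) correspond to ex.getRequestHeaders(), ex.getResponseHeaders() and ex.sendResponseHeaders() here. The user name, password, port and the /logout path are hypothetical. It also shows the one thing the thread never spells out: "Authorization" is a request header that the browser sends, so the server cannot clear it; all it can do is answer 401 with a realm the browser has not cached credentials for.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicLong;

/*
 * Added example (not from the thread). Basic-auth "logout" by answering
 * 401 with a realm string the browser has not seen before. Credentials,
 * port and paths are hypothetical.
 */
public class BasicAuthLogoutDemo {
    private static final String USER = "nam";                // hypothetical
    private static final String PASSWORD = "correct horse";  // hypothetical
    private static final String BASE_REALM = "privileged-few";

    // Bumped on logout. Browsers cache Basic credentials per realm string,
    // so a 401 carrying a realm they have not cached makes them prompt again.
    private static final AtomicLong realmGeneration = new AtomicLong();

    static String currentRealm() {
        return BASE_REALM + " (" + realmGeneration.get() + ")";
    }

    /** Decodes "Basic base64(user:pass)" into "user:pass", or null if absent/malformed. */
    static String decodeBasic(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            return new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
    }

    /** Constant-time compare of the whole "user:pass" string against the expected one. */
    static boolean credentialsValid(String authorization) {
        String userPass = decodeBasic(authorization);
        if (userPass == null) {
            return false;
        }
        byte[] expected = (USER + ":" + PASSWORD).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(userPass.getBytes(StandardCharsets.UTF_8), expected);
    }

    static void send(HttpExchange ex, int status, String text) throws IOException {
        byte[] body = text.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, body.length);
        try (OutputStream os = ex.getResponseBody()) {
            os.write(body);
        }
    }

    /** The 401 challenge; the realm is whatever the current generation says. */
    static void challenge(HttpExchange ex) throws IOException {
        ex.getResponseHeaders().set("WWW-Authenticate", "Basic realm=\"" + currentRealm() + "\"");
        send(ex, 401, "Authentication required");
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/", ex -> {
            String authorization = ex.getRequestHeaders().getFirst("Authorization");
            if (credentialsValid(authorization)) {
                send(ex, 200, "Logged in as " + USER + " under realm " + currentRealm());
            } else {
                challenge(ex); // first visit, wrong password, or a stale header after logout
            }
        });
        server.createContext("/logout", ex -> {
            realmGeneration.incrementAndGet(); // every cached credential now belongs to an old realm
            challenge(ex);                     // and send the 401 right away
        });
        server.start();
        System.out.println("Listening on http://localhost:8080/  (log out at /logout)");
    }
}
```

Two caveats a practitioner should weigh before copying this. The generation counter is server-wide, so one person's /logout changes the realm for every browser; a per-browser value (for instance carried in an opaque cookie) would be needed to log out only one user. And, exactly as the PHP manual text says, none of this is required by the Basic auth specification: a client that does not key its credential cache on the realm string will keep resending the old header, and the server has no way to stop it.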
#6  Clueless llama (joined Feb 2001, Lincoln, NE, USA)
    For a more reliable way to do this, you may want to "roll your own" authentication instead of using the WWW-Authenticate header to get the user and pw.

    I assume since you are manually sending the Authenticate header instead of having the HTTP server do it for you, you are also manually retrieving the username and pw and comparing them yourself to a database or flat file? If so, you might be better off looking for a bean in the session and if it is not there redirecting the user to a login page. The login page submits to a servlet (could be the same one) and if they check out ok, it creates a bean of some sort and stores it in the session. At the same time you use setMaxInactiveInterval(int interval) to set the session to time out in 30 minutes or whatever.

    I don't believe there is a reliable way to keep the browser from returning a previously entered username and pw to a domain it has already authenticated to. Changing the realm is a hack at best. And sending a 401 header may be ignored in the next browser release for all you know.

    Hope this helps.
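The session-based design described in the post above, as an added example (not the poster's code): a filter looks for a user object in the HttpSession and redirects to a login page when it is missing; the login servlet checks the form, stores the object and sets the 30-minute idle timeout with setMaxInactiveInterval; the logout button just calls session.invalidate(). The paths, form field names, the hard-coded credential check and the javax.servlet package (the API of this thread's era) are assumptions; in a real project each servlet would live in its own file and web.xml would map the filter to /* and the servlets to /login and /logout.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example (not from the thread). Session-backed login, idle timeout
 * and logout for a servlet application. Paths, parameter names and the
 * credential check are hypothetical.
 */
public class SessionLoginDemo {
    static final String USER_ATTR = "authenticatedUser";
    static final int IDLE_SECONDS = 30 * 60; // the 30-minute idle limit the thread asks for

    /** Stands in for the "bean" the post says to keep in the session. */
    public static final class AuthenticatedUser implements java.io.Serializable {
        public final String name;
        AuthenticatedUser(String name) { this.name = name; }
    }

    /** Hypothetical credential check; replace with a database or file lookup. Constant-time compare. */
    static boolean checkPassword(String user, String password) {
        if (user == null || password == null) {
            return false;
        }
        byte[] expected = "nam:correct horse".getBytes(StandardCharsets.UTF_8); // hypothetical
        byte[] given = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, expected);
    }

    /** Mapped to /* in web.xml; only /login and /login.jsp are reachable without a session. */
    public static class AuthFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            String path = request.getServletPath();
            HttpSession session = request.getSession(false); // never create a session just to inspect it
            boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
            if (loggedIn || "/login".equals(path) || "/login.jsp".equals(path)) {
                chain.doFilter(req, res);
            } else {
                response.sendRedirect(request.getContextPath() + "/login.jsp");
            }
        }
    }

    /** Mapped to /login: the login page POSTs "user" and "password" here. */
    public static class LoginServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            String user = request.getParameter("user");
            if (!checkPassword(user, request.getParameter("password"))) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Bad user name or password");
                return;
            }
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate(); // drop any pre-login session id so an attacker-planted one is not promoted
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(USER_ATTR, new AuthenticatedUser(user));
            session.setMaxInactiveInterval(IDLE_SECONDS); // after 30 idle minutes the container discards it
            response.sendRedirect(request.getContextPath() + "/");
        }
    }

    /** Mapped to /logout: the logout button the thread asks for. */
    public static class LogoutServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate(); // the server forgets the login; the old cookie now maps to nothing
            }
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }
}
```

The reason this is reliable where the 401 trick is not: the login state lives on the server, keyed by a session id the browser merely echoes back, so invalidate() ends the login regardless of what the browser has cached. The logout endpoint is a POST so a cross-site link cannot log the user out, and the session is re-created at login so a session id fixed before authentication is never upgraded to an authenticated one.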
